So Facebook’s Cambridge Analytica scandal has you freaked.
The social media giant’s appetite for your personal data combined with its ability to exploit it for profit regardless of societal cost has soured many on the company. But as we collectively reckon with the havoc Facebook has wrought, it’s important to take stock of the other 800-pound gorillas in the digital room: Google and Amazon.
The two companies, to varying degrees, both collect massive amounts of data on the people who use their services, and yet they’ve largely avoided the public scrutiny falling on Facebook in the wake of the 2016 U.S. presidential election. It’s time that changes.
To be clear, Google and Amazon are not Facebook. The data they collect is not unavoidably another Cambridge Analytica in the making. But just as Russian trolls’ use of Facebook to influence the election was simply an application of the company’s stated business model, so too are Google and Amazon’s massive repositories of information on Americans at risk for exploitation by someone just taking advantage of what’s being offered.
In other words, some skepticism is long past being in order.
What Amazon knows
That knowing smile.
Image: Lisa Werner/getty
Amazon has collected large amounts of data on the people that use its services, and, like Facebook, shows so-called “interest based ads” to people powered by this information. Essentially, these are targeted ads that take advantage of the information Amazon has collected on you to show you what the company thinks you are most likely to buy.
And Amazon has a lot to work with. According to the Amazon Privacy Notice, the company collects the following data on those who visit Amazon.com:
“any information you enter on our Web site or give us in any other way”
your phone numbers
credit card information
“people to whom purchases have been shipped, including addresses and phone number”
“people (with addresses and phone numbers) listed in 1-Click settings”
“e-mail addresses of your friends and other people”
“content of reviews and e-mails to us”
“personal description and photograph in Your Profile”
“financial information, including Social Security and driver’s license numbers.”
“the Internet protocol (IP) address used to connect your computer to the Internet”
your email address
your Amazon password
your “computer and connection information such as browser type, version, and time zone setting, browser plug-in types and versions, operating system, and platform”
your “purchase history, which we sometimes aggregate with similar information from other customers to create features like Top Sellers”
“the full Uniform Resource Locator (URL) clickstream to, through, and from our Web site, including date and time”
“products you viewed or searched for”
“the phone number you used to call our 800 number”
“session information, including page response times, download errors, length of visits to certain pages, page interaction information (such as scrolling, clicks, and mouse-overs), and methods used to browse away from the page”
“information about your location and your mobile device, including a unique identifier for your device”
And that’s not all, of course. Amazon also scores data on you from other sources. Some examples of that include:
Your credit history
“search term and search result information from some searches conducted through the Web search features offered by our subsidiary, Alexa Internet”
“search results and links, including paid listings (such as Sponsored Links)”
Amazon, via Alexa, also stores transcripts of interactions you have with the digital assistant in order to “improve the accuracy of the results provided to you and to improve our services.” In this case, it’s not exactly clear what “improve our services” means.
“Amazon likely knows significantly less on the average American than Google or Facebook.”
And while Amazon insists that it is “not in the business of selling [Information about our customers] to others,” that doesn’t mean the company isn’t sharing it with others. As you recall, Facebook didn’t sell any personal data to Cambridge Analytica, either. Rather, it allowed a researcher to use an app to gather that data which then made its way into the hands of the analytics company.
Amazon, of course, does share some customer data with third parties. The company’s privacy page provides a few examples of companies that may end up with some of your Amazon data via their joint offerings: “Starbucks, OfficeMax, Verizon Wireless, Sprint, T-Mobile, AT&T, J&R Electronics, Eddie Bauer and Northern Tool + Equipment.”
Specifically, insists Amazon, the data shared is limited to “information related to those transactions.”
Should we worry?
Staring deep into your soul.
Image: Drew Angerer/Getty
It’s hard to say just how much this should bother the privacy-concerned consumer. When asked if Amazon is at risk for a Cambridge Analytica-like scandal, Electronic Frontier Foundation Senior Staff Attorney Nate Cardozo explained that it’s difficult to say — and that that’s not by accident.
“With Amazon I have no idea,” he told us over the phone. “Amazon is pretty good at keeping out of the press.”
“Our privacy notice describes what information we collect and how we use it,” wrote the spokesperson. “We never sell our customers’ personal information. We encrypt data in transit and at rest, as well as offer customers the ability to turn on multi-factor authentication.”
Notably, some of those stated uses include the perhaps intentionally vague “customizing future shopping for you, improving our stores,” and providing “you with location-based services, such as advertising, search results, and other personalized content.”
So could this be weaponized in any way? It’s really unclear. Saying data is used for something as abstract as improving stores and advertising gives the company a wide berth to act within while still falling under the rules of its privacy notice. And, as Facebook’s repeated overreach and stumbles have shown, plenty can go wrong even when a company is following its own rules.
And when the rules aren’t followed? Amazon’s services actually indirectly contributed to the whole Cambridge Analytica mess in the first place. As Fast Company reported in March, the researcher Aleksandr Kogan who first acquired the data that ended up in Cambridge Analytica’s hands had some help from the Seattle-based company’s Mechanical Turk platform.
Image: Turkopticon via fast company
Kogan recruited survey takers via the micro-task platform, paying them $1 or $2 to answer a survey and allow access to their Facebook data. Notably, this was against Amazon’s terms of service and the company eventually booted Kogan from the marketplace. Still, it’s a reminder of just how many different types of data-pies Amazon has its fingers in.
In the end, it’s always better for the consumer to err on the side of caution. After all, Amazon can’t use what it doesn’t have against you.
What Google knows
Image: Smith Collection/Gado/Getty
Through its retail website, Echo, Prime memberships, and myriad of other products and services, Amazon is able to amass huge amounts of information on its customers and users. However, all that pales in comparison to Google.
“Amazon likely knows significantly less on the average American than Google or Facebook,” explained Cardozo.
When asked what data Google collects on those that use its services, Cardozo didn’t pull any punches. “Everything they can, I think is the answer,” he observed. “Google knows where you are, what you’re searching for, what you’re emailing about — at least in general terms — who you’re emailing with, [and] who your friends are.”
Google’s catalog of services and products is so vast — think Search, Gmail, Google Maps, Drive, YouTube, DoubleClick, AdWords, Chrome, Android, Chromebook, and Nest, just to name a few — that the data it gathers is likewise all encompassing.
The company lays out what types of data it collects, and, well, it’s a lot:
Things you search for
Websites you visit
Videos you watch
Ads you click on or tap
IP address and cookie data
Emails you send and receive on Gmail
Contacts you add
Photos and videos you upload
Docs, Sheets, and Slides on Drive
Email address and password
Let all that sink in. Google likely knows most places you’ve physically been since you started using its services, what you search for day in and day out, and your entire digital network (among plenty of other personally revealing tidbits).
It took me about three tries to completely turn off Google location tracking. I kept thinking I had turned it completely off, and it would just pop back up. If I can’t manage this, who is supposed to? I have a technical background and write/research about all this for a living.
— zeynep tufekci (@zeynep) March 26, 2018
If you happen to not have disabled a little feature Google calls “ads personalization,” you can see all the topics that the company thinks you’re interested in. These could be as broad as “business news” or as specific as “jazz.” If you’re interested, Google likely knows.
Notably, like Facebook, Google insists that it doesn’t sell your data. “We use data to show you these ads,” the company explains, “but we do not sell personal information like your name, email address, and payment information.”
And of course it doesn’t, as that would run directly contrary to its business model of using the information it has on you as a selling point to advertisers. Or, as Cardozo put it: “Google has a voracious appetite for data, but they also guard it jealously.”
More jealously than Facebook? We should all hope so.
Should we worry?
All around you.
Image: Smith Collection/Gado/Getty
The question of whether or not Google’s vast repository of user data could be turned against us — no matter how close to the chest the company keeps it — is not some far-flung hypothetical. After all, a company doesn’t need to let a bad actor scrape your data for it to cause real harm.
Remember those Russian trolls that used Facebook to push race-based violence? They did so by using Facebook as it was intended. Plenty of damage can be done by simply using the tools in the manner in which they were designed. And Google’s toolbox is quite large.
Importantly, the company does have API rules in place that explicitly prohibit the aggregation and resale of data to third parties. Google also has ad policies that ban certain practices such as “[re-selling] users’ contact information, using images of users in ads without their consent.”
And this is all good! In many ways, Google appears to be a more thoughtful steward of your data than Facebook has ever been. But, again, in the end it all comes back to the business model.
“If your business is building a massive surveillance machinery, the data will eventually be used & misused,” tweeted techno-sociologist Zeynep Tufekci. “Hacked, breached, leaked, pilfered, conned, ‘targeted’, ‘engaged’, ‘profiled’, sold.. There is no informed consent because it’s not possible to reasonably inform or consent.”
To further confuse matters, it’s difficult to say exactly how Google uses the data it does have.
“What Google does with it […] is almost entirely opaque,” Cardozo told us.
This should be anything but reassuring.
Facebook (and Google, too!) have great security teams. Some of the best in the business, no doubt. Full of conscientious people. But they can’t mitigate the business model. ¯_(ツ)_/¯
— zeynep tufekci (@zeynep) March 17, 2018
We reached out to Google to determine just how exactly it prevents potential misuse, both by internal and external actors, of the data it gathers. The company responded with a statement noting that it has policies in place to protect users’ privacy, but declined to detail on the record what those are.
“Google is completely focused on protecting our users’ data while making the products they love work better for them,” a spokesperson explained. “Users can see what data is collected and how it’s used in one easy place, My Account, and control it all from there. We also have policies that prohibit deceptive behavior and misuse of personal data. If we find evidence of violations we will take action.”
And sure, some of the apparent reticence to go into too much detail is likely the result of wanting to stay out of headlines. After all, these days no one wants their company mentioned in the same sentence as Facebook or Cambridge Analytica. Still, a little more openness could potentially go a long way toward reassuring the average person using Google’s services that they shouldn’t be worried it will all come back to bite them.
Because as it stands now, as Tufekci has repeatedly pointed out, Google’s business model is inherently problematic. A bite is likely coming, the question is just when and how deep the teeth will sink.
What to do
Thankfully, we are not completely powerless. We can all take steps to mitigate the data Amazon and Google collect on us, both by opting out of various ad-personalization settings and being smarter digital citizens. While you may want to delete Facebook, leaving Google and Amazon in the dust is likely a challenge of a different magnitude for many.
And anyway, as Cardozo put it, “telling 1.5 billion people that they’re wrong and to stop doing what they like is not a productive strategy.”
So what can you do? Start by installing ad blockers on your browser, the EFF makes one called Privacy Badger, and spend time getting to know your privacy settings. The burden to protect yourself and your data from abuse shouldn’t be on you, but unfortunately that’s where we are today.
In the end, however, that’s all just a Band-Aid. Real protection will need to come in the form of law. Starting on May 25, the data of European citizens will be covered by something called the General Data Protection Regulation — regulations designed “to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy.”
Folks, I want to emphasize it. We can change all this. It’s so early. The answer isn’t a retreat. There *are* healthier ways of seeking the conveniences and connectivity digital technologies allow. We need to forge ahead in new directions. It’s possible. https://t.co/qg4vivl0EV
— zeynep tufekci (@zeynep) April 6, 2018
It’s a big deal, and allows, among other things, an individual to demand that companies “erase his/her personal data, cease further dissemination of the data, and potentially have third parties halt processing of the data.”
We asked both Google and Amazon if they intend to voluntarily extend GDPR protections to U.S. citizens, but received no on the record response. Google has released a statement on GDPR, but it doesn’t mention anyone living in the U.S.
This is, to say the least, unfortunate. Because until Google and Amazon give us true and easy-to-understand control over our own data, including the ability to opt out from data collection altogether, we’re all just perpetually one slip up away from a never-ending cascade of Cambridge Analytica-like abuses.